ServiceNow SimpleList Widget Vulnerability
Link: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1553688
A recent vulnerability affecting the ServiceNow Service Portal widget called SimpleList was reported by an ethical hacker who posted about it on a blog.
This vulnerability affects public Service Portal pages that use the SimpleList widget where the SimpleList points to tables that have empty ACLs. If you have the High Security plug-in or have IP filtering, the vulnerability doesn’t apply.
For more information, see the attached communication received from ServiceNow, and be sure to review this KB.
We noticed that:
- ServiceNow’s operational team has made updates to the platform to mitigate the issue.
- You can view the relevant changes by updating this link with your own ServiceNow instance name:
- [Instance Name].service-now.com/sys_security_acl_list.do?sysparm_query=sys_scope%3Dc026625edb28a200c089f100cf96199a%5Esys_updated_by%3Dsystem%40snc.maint%2Cadmin&sysparm_view=
- You can also check this link [instanceName.service-now.com/sys_security_acl_list.do?sysparm_query=script%3DNULL%5EconditionISEMPTY%5Esysscope%3Dc026625edb28a200c089f100cf96199a%SERLQUERYsys_security_acl_role.sys_security_acl%2C%3D00%2Cm2m%5EENDRLQUERY%255Esys_scope%253Dc026625edb28a200c089f100cf96199a] to see if you have any blank ACLs. You will likely see one blank ACL (x_cls_clear_skye_i_role.*) in that list, but because it’s a child ACL, it is secured by the parent base table ACL. We assess the risk of this to be low.
- Contact ServiceNow Support to request that they implement the fix on your instance if the link above shows you any records other than the one mentioned above.
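The blank-ACL check above can also be run offline against exported records. The following is an added example, not code from ServiceNow or from the original post: it applies the same conditions as the list filter (no script, no condition, no related role rows, same scope) to exports of `sys_security_acl` and `sys_security_acl_role`. The sample records, their `sys_id` values and the `x_demo_*` table names are constructed for illustration.

```python
# Scope sys_id taken from the list URLs on this page.
SCOPE = "c026625edb28a200c089f100cf96199a"
# The one blank ACL the page says you will likely see.
EXPECTED = {"x_cls_clear_skye_i_role.*"}


def ref(value):
    """Reference fields export either as a sys_id string or as {"value": sys_id}."""
    if isinstance(value, dict):
        return value.get("value", "")
    return value or ""


def blank_acls(acls, acl_roles, scope=SCOPE):
    """Return ACLs in `scope` with no script, no condition and no role rows."""
    with_roles = {ref(r["sys_security_acl"]) for r in acl_roles}
    return [
        a for a in acls
        if ref(a.get("sys_scope")) == scope
        and not (a.get("script") or "").strip()
        and not (a.get("condition") or "").strip()
        and a["sys_id"] not in with_roles
    ]


def unexpected_blank_acls(acls, acl_roles, expected=EXPECTED, scope=SCOPE):
    """Names of blank ACLs other than the ones you already expect to see."""
    return sorted(a["name"] for a in blank_acls(acls, acl_roles, scope)
                  if a["name"] not in expected)


# Constructed sample export (not real instance data).
SAMPLE_ACLS = [
    {"sys_id": "acl1", "name": "x_cls_clear_skye_i_role.*", "sys_scope": SCOPE,
     "script": "", "condition": ""},
    {"sys_id": "acl2", "name": "x_demo_example_table", "sys_scope": {"value": SCOPE},
     "script": None, "condition": "  "},
    {"sys_id": "acl3", "name": "x_demo_other_table", "sys_scope": SCOPE,
     "script": "", "condition": ""},
    {"sys_id": "acl4", "name": "x_demo_scripted", "sys_scope": SCOPE,
     "script": "answer = gs.hasRole('admin');", "condition": ""},
    {"sys_id": "acl5", "name": "incident", "sys_scope": "global",
     "script": "", "condition": ""},
]
SAMPLE_ACL_ROLES = [{"sys_security_acl": {"value": "acl3"}, "sys_user_role": "role1"}]

if __name__ == "__main__":
    for name in unexpected_blank_acls(SAMPLE_ACLS, SAMPLE_ACL_ROLES):
        print("blank ACL needs review:", name)
```

Any name this reports corresponds to a record "other than the one mentioned above" in the list view.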
support.servicenow.com
General Information | Potential Public List Widget Misconfiguration - Support and Troubleshooting - Now Support Portal
1. Overview ServiceNow is aware of the recent publications describing a potential misconfiguration issue that could result in unintended access and is actively investigating the reports that we have observed